ohnosequences/sbt-s3-resolver

AWS S3 based resolver

Alexey Alekhin

@laughedelic

check out this: https://github.com/ohnosequences/sbt-s3-resolver/tree/v0.12.0

Matthew Stafford

@m-stafford

Ahhh, gotcha!

Thought it might have been something like that. Thanks!

Alexey Alekhin

@laughedelic

:+1:

Dean Chen

@deanchen

is there a way to use BasicAWSCredentials with the resolver? I'd like to check in my aws creds in to my private repo

Alexey Alekhin

@laughedelic

Hi @deanchen! I don't see an obvios standard way to get a credentials provider from the basic credentials, but it's easy to achieve by just implementing it's interface:

import com.amazonaws.auth._

s3credentials :=  
  new AWSCredentialsProvider {
    def getCredentials(): AWSCredentials = new BasicAWSCredentials("bar", "buh")
    def refresh(): Unit = {}
  }

Dean Chen

@deanchen

ah ok, that's perfect, thanks!

Alexey Alekhin

@laughedelic

:wink: :+1:

Ryan Means

@rmmeans

I hate having to bring up topics like this, but why the license choice for this repo? I totally get it for your other projects as it keeps people from profiting from your work and selling it as their own - but this project's whole point is to integrate it into likely closed source repo's (it if was open source, I wouldn't be publishing to S3, I'd just go to maven central, etc!) My concern is that in a legal battle, one might argue that my private project because it's using this project in its build.sbt file must now also be fully open source? I know the license issue is one of the big reasons the frugal mechanic project got started, but this project seems to be much more maintained and active, and I'd much rather use and contribute to it. Just wish it had a different license? I know y'all probably wont' change it, just curious the history behind the choice for this project?

Eduardo Pareja Tobes

@eparejatobes

hey @rmmeans

no problem with the topic

so why AGPLv3

is just a matter of simplicity

we're fine with anyone selling whatever

as long as it's open too :)

anyway

for private projects

in a lot of cases AGPLv3 is not a big issue

the requirement is over users of your app

so for something internal

Ryan Means

@rmmeans

Yeah, I'm specifically bringing up private projects here where the project might be for some API for our business that customers hit. All the other licenses used by our API allow us to keep the project private and not share our API source to the world, but that last step in our build process of publishing this thing to a private s3 maven repo that now forces me to open source my whole API is a little disappointing because using your s3-resolver is just part of the process for the build management - I wasn't profiting off of the project for my API itself. So it's not that I really have a problem with y'all using APGLv3 for all of your other stuff, because that makes sense based on your business goals for your other intellectual work, but for a build process tool, it just kind of bugs me :smile: given that your work didn't assist in me in creating the intellectual work of what I'm trying to keep private, it only assisted in the process part of efficiently storing or retrieving my compiled work. For now, I've just being using the other library from frugal mechanic, but part of my developer soul is bleeding knowing there is a better project out there, but I can't use it :smile:

Eduardo Pareja Tobes

@eparejatobes

@rmmeans yep I understand. It's just that we decided to keep everything AGPLv3; dealing with different licenses, compatibility, is this linking or not, etc takes a significant amount of time that we think it better spent anywhere else :)

Eduardo Pareja Tobes

@eparejatobes

Anyway, if there'd be someone else maintaining this

we could maybe move it to the sbt org

relicense it etc

that could be an option

Ryan Means

@rmmeans

now I totally get that! In fact, I figured that's what it was :smile: Be awesome to get some wider community effort behind it and move it over to the sbt org, etc. Anyways, thanks for the good conversation. I'll be continuing to watch the project over time. Good work!

Mark Pierotti

@mopierotti

Hi, thanks a ton for the useful package, but looks like this package is no longer available from your repo at https://s3-eu-west-1.amazonaws.com/releases.era7.com/, is that intended?

Eduardo Pareja Tobes

@eparejatobes

Hey @mopierotti

That sounds strange, we resolve from there daily

Maybe a misconfiguration, or something region related?

Proxies?

Alexey Alekhin

@laughedelic

@mopierotti if you still have the problem, show us you sbt config (the one in the project/ folder)

Benjamin Rizkowsky

@benoahriz

I was hoping to find some info about what buckey policies are needed to make this work. I keep getting a 403 from amazon however I am able to use the aws-cli to put files in my bucket using the same profile/creds

   "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::xxxx"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::xxxx/*"
        }
    ]
}

that is an example of the bucket policy i'm currently using

Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied;

Benjamin Rizkowsky

@benoahriz

using a separate account works fine but has access to everything. Im trying to lock the account down to the minimum needed permissions

   "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::xxxx"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::xxxx/*"
        }
    ]
}

this seemed to work fine

Alexey Alekhin

@laughedelic

hi @benoahriz.
As I see from the code in ivy-s3-resolver (which is used in this plugin), there is no much happening besides listObjects/putObject actions..

probably s3:PutObjectAcl is needed? (here)

on the other hand s3:DeleteObject is not needed, because resolver cannot delete a published artifact

Benjamin Rizkowsky

@benoahriz

cool thanks @laughedelic I’ll try it

Alexey Alekhin

@laughedelic

I've just tested it and I think s3:PutObjectAcl is the missing chain. Here is the policy which I successfully used for publishing and resolving:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::bucket.name"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::bucket.name/*"
        }
    ]
}

In theory s3:CreateBucket may be also needed if you publish to a non-existing bucket.

@benoahriz thanks for raising this concern, I should add this to the readme. Tell me if it works for you now.

Benjamin Rizkowsky

@benoahriz

yeah i’ll test it and let you know

Alexey Alekhin

@laughedelic

:+1: :shipit: :satisfied:

Benjamin Rizkowsky

@benoahriz

i tested it and it worked fine i sent a pr for the readme

Where communities thrive

People

Repo info

Activity